[FreeBSD-Announce] vBSDcon Registrations Only Open For 30 More Days!
nightrecon at hotmail.com
Mon Sep 23 20:29:49 UTC 2013
Brett Glass wrote:
> It's good to see corporate support of BSD, but at the same time I
> have mixed feelings about certain corporations -- Verisign among
> them -- hosting BSD-related conferences or becoming involved in the
> development of BSD-based operating systems. Why? Because Verisign,
> based in Reston, Virginia (the city next door to Vienna, VA, home
> of the NSA), has strong ties to this shadowy agency.
No. I used to work right down the street from Network Solutions (now known
as Verisign) in Herndon. Indeed, I had job offers from them but felt I was
better off staying where I was. The NSA is headquartered at Ft. Meade, near
Columbia in Maryland. I worked there for 8 years? The CIA headquarters is in
McLean, Virginia, which is right next door to Vienna. Reston/Herndon is a few
miles down the Dulles Toll Rd. to the west. I've been to all these places, so
this is not some MapQuest/Google lookup for me.
> The NSA, in
> turn -- as reported in documents recently leaked by Edward Snowden
> -- has a very strong interest in weakening the security of
> cryptographic algorithms, cryptographic software, and operating
> systems. We may want to look this gift horse very carefully in the
> mouth, or at least monitor very closely "contributions" of code
> that might introduce backdoors or weaknesses.
On some level I agree with this - to a point. Examine how the NSA maneuvered
NIST into approving and mandating the FIPS-140 protocols, where deeply
concealed was a known weak PRNG. To some of us this is not news - we've
known it for a long time. Arguments of pro vs. con, good vs. evil, ad
infinitum, ad nauseam, etc., are better served in a different venue.
It is so much easier to get away with concealing such things inside the
closed-source paradigm. What I like and admire about open source is that the code
is out there in public for all to examine. This truly arcane crypto stuff
operates at such a high level of mathematical complexity that even very
highly skilled cryptographers/mathematicians argue amongst themselves.
I am just not that smart, or that highly educated. There are some in the
open source community who do have very large propellers on their beanie
caps. I defer to them simply because they are smarter than me. I would trust
them long before I would trust closed source.
I agree about the 'looking the gift horse in the mouth' concept. Bear in
mind, however, that some of the guys at NIST are pretty smart too. And yet this
FIPS-140/PRNG stuff went right by them. My suggestion is for FreeBSD (indeed
open source in general) to try to engage, include, and attract to the
community the kinds of elite mathematicians who may have the faculties to
examine the code at a higher level than can dummies like me.
Whenever The Citadel wants the public to fixate on any one particular
brouhaha, I know they are trying to get everyone looking in a particular
direction whilst they are pulling something else. Verisign may very well
have some other obfuscated agenda. Take a step backwards and try to obtain
some view of the bigger picture (hint). I will not elaborate here, even though
I do have some crackpot ideas.
I find it highly ironic:
I got no end of amusement from this. Just my $0.02.
More information about the freebsd-questions